Jason Torchinsky

There's been a lot of hype and panic about cars being hacked and terrorist teens on laptops in desert bunkers taking over your Toyota, and up to now it's been mostly all just fodder for your crazy aunt to email you about. Now, however, a first viable general-use car-hacking tool has been developed that's also cheap.

Here's the scenario: a "14-year-old in Indonesia" sits in front of a laptop, gives…
Read more Read more

It's worth noting that the device, which uses eleven extremely common parts (all added up, those parts cost $26.27)and is based on the very flexible Arduino platform, still requires that it be physically plugged into the car's CAN bus before any reading or modification of data can take place — so we're still not at a point of an evil supervillian pointing at a car on a wall-sized monitor and saying "That one. Disable the brakes."

The tool is basically an Arduino that runs the basic software and does the main work, there's a level shifter to drop the 12V to the Arduino's 5V, there's an SD card reader, a small LCD screen, and the required connectors. The tool can be controlled via wireless Bluetooth, which allows control from a smartphone, though a cell-network interface is being developed as well. The ECU Tool was announced at the DefCon 21 hackers' conference.

Advertisement

Alberto Garcia Illera and Javier Vazquez Vidal developed the tool, initially, because, as they say, they were cheap and wanted to play with the settings of their car's (and their friend's cars) ECU to get better MPG and more power. These, of course, are great reasons and for your own car that you actually own, there's no reason why you shouldn't be able to play with those settings, if you'd like.

The system currently uses the K-Line protocol which is very common on cars 2010 and older, but the pair stated the tool can be reconfigured for newer protocols easily, especially since none of the common protocols has any significant security differences, or, really, much security at all.

The two developers described many ways the device can be used, from the good (tweaking and modifing your own car's settings) to the very bad. The range of "very bad" things you can do is pretty significant, ranging from 'bricking' a car by simply unplugging the tool while the car is starting up to actually getting control of the car's ECU-controlled functions, which included turning on/off the immobilizer, applying the emergency brakes, turning on/off lights or alarms, modifying power steering control settings, and more.

The big take-away from all this should be the realization that all modern cars are essentially motorized networks of small, hard-working computers, and these networks have only the most rudimentary security protocols that can be easily overcome. Most of the "security" features are really just checksums to make sure the data being sent and received is good, and as these clever guys have shown, getting data into and out of the network is not just possible, it's cheap and easy.

Cars should be hackable by their owners, I believe. In the past, having your car's key gave you the security you needed that only you could access your car's engine for hacking. In the same way, manufacturers need to provide real security on car CAN busses only the owner or authorized agents can modify their car's settings, because even with the requirement of physically installing devices like this, there is still a great deal of room for abuse.

This tool is a great, very clever achievement that exposes how vulnerable cars really are. It opens a very important dialog between car owners and manufacturers about how we can protect our cars without losing the owner's right to access their car's brains.

Hopefully, we can come to a workable solution without the undue panic that much of the media will pour on this. Security is a very big deal, but car owners and lovers need to make sure they have access to the machines they own, cheaply and easily.